Extension talk:LDAP Authentication/Generic LDAP Configuration Examples

From mediawiki.org
The following discussion has been transferred from Meta-Wiki.
Any user names refer to users of that site, who are not necessarily users of MediaWiki.org (even if they share the same username).

Error?

Is there an error between the text and the example found here... m:LDAP Authentication Configuration Examples#Configuration for an AD Server

I wouldn't dare change it because I haven't got this working for me yet, but in the text it says the domain server is "exampledomain.example.com" yet in the example it has "$wgLDAPDomainNames = array( "exampleADDomain" );"

The domain name is whatever you want to use. It is just a key in an array. The servers used in that domain are named on the next line. The plugin is set up this way so that you can have multiple domains like:
$wgLDAPDomainNames = array( "exampleADDomain", "exampleNonADDomain" );
$wgLDAPServerNames = array ( "exampleADDomain"=>"exampleadserver.example.com", "exampleNonADDomain"=>"examplenonadserver.example.com" );
The above is provided in case you have a divided network that has matching usernames, and will (hopefully) one day move to a single sign-on environment. Most settings (and every setting in the future) use an array to set settings for this purpose. Unfortunately right now not all settings are provided for multi-domain networks.
-- Ryan Lane

Active Directory[edit]

Following the steps in section 6.1, "Authenticating against MS AD", would I also have to do the steps in LDAP Authentication for "Adding WikiSysop" and "Windows Configuration"? Rlevse 12:47, 19 July 2006 (UTC)

I discovered the steps in 6.1 work really well, in addition, I had to drop in LdapAuthentication.php (download from web), BUT FIRST make yourself a wiki account that has the same name as your ldap account, use WikiSysop to make it an admin/bureaucrat, make backup copies of pages you have under the wiki accounts, THEN do all this AD/LDAP stuff. Rlevse 19:01, 19 July 2006 (UTC)
Yep, that's the way to do it. My instructions probably aren't very clear on that; I'll try to revise them soon
-- Ryan Lane

Hi! Anyone got the preference reading working? I can successfully authenticate against AD but the user email and full name are not configured. I thought that they would be read from AD as well. --gunnar 15:35, 1 August 2006 (UTC)

This is a great plugin, and a huge help in getting Mediawiki implemented where I work. I have a question though. Can this plugin be used in conjunction with group memberships in AD? I'm looking to see if I can create an AD group that would allow read only access to the wiki, another for read/write access, and another for SysOps access. Thanks for the help, and once again, great plugin.

The Hero Of Canton 17:17, 3 January 2007 (UTC)

Yes. The newest version of the plugin (1.1c) allows for this specifically. I couldn't actually test this with AD, so you'll have to be the test subject, but from a technical point of view it shouldn't be any different than using posix, or groupofuniquenames groups. To configure it, you'll need to use the same options as you'd use for group based login restriction, except you just don't use the group restrictions. Here is info on how to configure it for AD; also, here is the [of the options], which explains which options are required for group synchronization, and which are required for group restriction.
After configuring the plugin to sync groups, you just need to add users to the LDAP groups you want them in, and then add the groups to MediaWiki with the permissions you want. When users log in they will either be added to or removed from groups according to what is in LDAP(AD).
Really support questions should be posted under the talk page of the regular documentation, so I'll post this over there as well.
--Ryan Lane 18:11, 3 January 2007 (UTC)

Secure Sign-In

I got LDAP login working using OpenLDAP and RedHat Enterprise Linux.  So, now my users are stored in an LDAP directory and log in to wiki using their LDAP account.  I want them to keep their passwords secure.  Is there a way I can now have MediaWiki only allow logins through SSL?  

I have SSL working on my server and https works, but how do I restrict the MediaWiki login to only use SSL?

This has been discussed on the LDAP Authentication discussion page, and the answer is I don't know. You need to ask the MediaWiki developers how to do this. My only suggestion is to disable http and only allow https.
Don't forget that you are pretty much wasting your time using https if you aren't using TLS/SSL with the plugin. If your question is how to use SSL in the plugin, it is just an option you set. If you have the option set, you can be sure it is using SSL/TLS because the plugin would fail otherwise.
-- User:Ryan lane
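Putting the two answers above together (the per-domain arrays from the "Error?" thread and the "just an option you set" TLS remark here), the following is an added LocalSettings.php fragment, not code from the original discussion or from the extension's own documentation. The option names $wgLDAPEncryptionType and $wgLDAPBaseDNs are assumed from the extension's documented settings and should be checked against the version you run; the domain keys, host names and base DNs are made up. The check function at the end is an addition of mine: it refuses to start the wiki when a domain has no server entry or would bind in the clear, which is the failure mode that makes the HTTPS login page pointless.

```php
<?php
// Added example, not from the original discussion: a LocalSettings.php
// fragment for the LDAP Authentication extension with two domains, each
// pointing at its own server, plus a sanity check run when the file loads.
// $wgLDAPEncryptionType and $wgLDAPBaseDNs are assumed from the extension's
// documentation; the domain and host names below are made up.

$wgLDAPDomainNames = array( "exampleADDomain", "exampleNonADDomain" );

$wgLDAPServerNames = array(
    "exampleADDomain"    => "exampleadserver.example.com",
    "exampleNonADDomain" => "examplenonadserver.example.com",
);

// "tls" (STARTTLS on 389), "ssl" (LDAPS on 636) or "ldapi" (local socket).
// "clear" sends the user's password to the directory unencrypted; that is
// the weak setting an HTTPS-only login page does nothing to fix.
$wgLDAPEncryptionType = array(
    "exampleADDomain"    => "tls",
    "exampleNonADDomain" => "ssl",
);

$wgLDAPBaseDNs = array(
    "exampleADDomain"    => "dc=example,dc=com",
    "exampleNonADDomain" => "dc=example,dc=org",   // hypothetical second directory
);

/**
 * Check that every domain key has a server and an encrypted transport.
 * Returns a list of problems; an empty list means the arrays are consistent.
 * A domain with no encryption entry is treated as "clear" on purpose, so a
 * forgotten entry is reported rather than relied on.
 */
function ldapConfigProblems( array $domains, array $servers, array $encryption ) {
    $problems = array();
    foreach ( $domains as $domain ) {
        if ( !isset( $servers[$domain] ) ) {
            $problems[] = "no server configured for domain '$domain'";
        }
        $enc = isset( $encryption[$domain] ) ? $encryption[$domain] : 'clear';
        if ( !in_array( $enc, array( 'tls', 'ssl', 'ldapi' ), true ) ) {
            $problems[] = "domain '$domain' would bind in the clear";
        }
    }
    // A server entry whose key is not in $wgLDAPDomainNames is never used;
    // that usually means a typo in one of the two arrays.
    foreach ( array_keys( $servers ) as $domain ) {
        if ( !in_array( $domain, $domains, true ) ) {
            $problems[] = "server entry for unknown domain '$domain'";
        }
    }
    return $problems;
}

$ldapProblems = ldapConfigProblems( $wgLDAPDomainNames, $wgLDAPServerNames, $wgLDAPEncryptionType );
if ( $ldapProblems ) {
    // Fail closed: an unusable wiki is better than one that quietly binds in clear.
    die( "LDAP configuration error: " . implode( "; ", $ldapProblems ) . "\n" );
}
```

The check runs on every page load, but it is a few array lookups and keeps a mismatch between the domain list and the server list (the exact confusion raised in the "Error?" thread) from surviving past the first request after a configuration change.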

I figured it out. Once LDAP authentication is set up using TLS/SSL, Apache must be set up to use SSL. Then, to force user logins to be secure, add the following to httpd.conf:
RewriteEngine on
RewriteCond %{QUERY_STRING} ^title=Special:Userlogin
RewriteRule /(.*) https://<server url>/$1 [R,L,QSA]

where <server url> is the actual URL.

I didn't see this discussed on the LDAP Authentication discussion page. Perhaps I missed it. This should probably be put into a simple how-to. No sense using LDAP authentication without using Apache/SSL to keep things secure.

I agree that this should be in a how-to, but it should be somewhere for MediaWiki's configuration, and possibly linked to on the LDAP Authentication page. This isn't really a configuration for the plugin...
-- Ryan Lane

Also try

RewriteEngine on
RewriteCond %{SERVER_PORT} !443
RewriteCond %{REQUEST_URI} ^/(<path_to_wiki>/Special:Userlogin) [OR]
RewriteCond %{QUERY_STRING} title=Special:Userlogin
RewriteRule ^(.*)$ https://%{SERVER_NAME}/<path_to_wiki>/$1 [R=301,L,QSA]
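The second rule set above differs from the first in one important way: the %{SERVER_PORT} condition stops the rule from firing again once the request is already on the HTTPS virtual host. To see exactly which requests the three conditions catch before they go into Apache, here is an added PHP script (mine, not from the thread or from the extension) that replays the same conditions over a handful of constructed requests. It assumes <path_to_wiki> is "wiki", uses a made-up server name, and assumes the rules sit in a per-directory context so that $1 is the path below /wiki/. The last request shows a case the rules as written miss: newer MediaWiki versions link the login page as Special:UserLogin, and an Apache regex is case-sensitive unless the [NC] flag is added.

```php
<?php
// Added example, not from the original thread: a stand-alone script that
// applies the three conditions of the rule set to constructed requests, so
// the redirect logic can be checked before it goes into httpd.conf.
// Assumptions: <path_to_wiki> is "wiki", the server name is made up, and the
// rules live in a per-directory context so $1 is the path below /wiki/.

$pathToWiki = 'wiki';
$serverName = 'wiki.example.com';

/**
 * Returns the https URL the request would be redirected to, or null when
 * the rules leave it alone. $nc adds the [NC] behaviour the original
 * conditions do not have (Apache regexes are case-sensitive by default).
 */
function loginRedirect( array $req, $pathToWiki, $serverName, $nc = false ) {
    // RewriteCond %{SERVER_PORT} !443  -- already on https, nothing to do
    if ( $req['port'] === 443 ) {
        return null;
    }
    $mod = $nc ? 'i' : '';
    // RewriteCond %{REQUEST_URI} ^/(<path_to_wiki>/Special:Userlogin) [OR]
    $uriHit = preg_match(
        '#^/' . preg_quote( $pathToWiki, '#' ) . '/Special:Userlogin#' . $mod,
        $req['uri']
    );
    // RewriteCond %{QUERY_STRING} title=Special:Userlogin
    $qsHit = preg_match( '#title=Special:Userlogin#' . $mod, $req['query'] );
    if ( !$uriHit && !$qsHit ) {
        return null;
    }
    // RewriteRule ^(.*)$ https://%{SERVER_NAME}/<path_to_wiki>/$1 [R=301,L,QSA]
    $target = "https://$serverName/$pathToWiki/" . $req['relpath'];
    if ( $req['query'] !== '' ) {
        $target .= '?' . $req['query'];   // QSA appends the original query string
    }
    return $target;
}

// Constructed requests; none of these were taken from a real server log.
$requests = array(
    'login via index.php over http' => array( 'port' => 80, 'uri' => '/wiki/index.php',
        'relpath' => 'index.php', 'query' => 'title=Special:Userlogin' ),
    'login via short URL over http' => array( 'port' => 80, 'uri' => '/wiki/Special:Userlogin',
        'relpath' => 'Special:Userlogin', 'query' => '' ),
    'login already over https' => array( 'port' => 443, 'uri' => '/wiki/index.php',
        'relpath' => 'index.php', 'query' => 'title=Special:Userlogin' ),
    'ordinary page over http' => array( 'port' => 80, 'uri' => '/wiki/index.php',
        'relpath' => 'index.php', 'query' => 'title=Main_Page' ),
    // Newer MediaWiki links the login page as "UserLogin"; the case-sensitive
    // match in the rules as written does not catch this spelling.
    'login link with UserLogin spelling' => array( 'port' => 80, 'uri' => '/wiki/index.php',
        'relpath' => 'index.php', 'query' => 'title=Special:UserLogin' ),
);

foreach ( $requests as $label => $req ) {
    $plain  = loginRedirect( $req, $pathToWiki, $serverName );
    $withNc = loginRedirect( $req, $pathToWiki, $serverName, true );
    printf( "%-36s as written: %-62s with [NC]: %s\n",
        $label,
        $plain === null ? '(no redirect)' : $plain,
        $withNc === null ? '(no redirect)' : $withNc );
}
```

Run it with php on the command line. The first, second and fifth requests are the ones that should redirect; the fifth only does so in the [NC] column, which is the argument for appending [NC] to both RewriteCond lines (or for matching on the lowercased title) rather than relying on one spelling of the special page name.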

MS LDAP Authentication from LAMP setup

Is MS Active Directory domain authentication possible using LAMP? I don't have the possibility to install wiki on IIS/windows, however I am using MS Active Directory. I tried some configs but logging in always fails.